piv-go
replace c_pcsclite with go-libpcsclite
This is a question, not an issue. I recently came across the library go-libpcsclite, which is implemented completely in Go. I tried to test it (not intensively) but it worked for me (signing and verifying). So I ran a complete test using (go test -v ./... --wipe-yubikey) and it was 80% successful. If I took the time to fix the other issues, would you merge the change into the main repository?
--- PASS: TestYubiKeySignECDSA (4.44s)
=== RUN TestYubiKeyECDSASharedKey
=== RUN TestYubiKeyECDSASharedKey/good
=== RUN TestYubiKeyECDSASharedKey/bad
=== RUN TestYubiKeyECDSASharedKey/bad/size
--- PASS: TestYubiKeyECDSASharedKey (0.18s)
--- PASS: TestYubiKeyECDSASharedKey/good (0.06s)
--- PASS: TestYubiKeyECDSASharedKey/bad (0.01s)
--- PASS: TestYubiKeyECDSASharedKey/bad/size (0.01s)
=== RUN TestPINPrompt
=== RUN TestPINPrompt/Never
=== RUN TestPINPrompt/Once
=== RUN TestPINPrompt/Always
--- PASS: TestPINPrompt (1.15s)
--- PASS: TestPINPrompt/Never (0.38s)
--- PASS: TestPINPrompt/Once (0.38s)
--- PASS: TestPINPrompt/Always (0.39s)
=== RUN TestSlots
=== RUN TestSlots/Authentication
=== RUN TestSlots/CardAuthentication
=== RUN TestSlots/KeyManagement
=== RUN TestSlots/Signature
--- PASS: TestSlots (2.74s)
--- PASS: TestSlots/Authentication (0.47s)
--- PASS: TestSlots/CardAuthentication (0.46s)
--- PASS: TestSlots/KeyManagement (0.46s)
--- PASS: TestSlots/Signature (0.47s)
=== RUN TestYubiKeySignRSA
=== RUN TestYubiKeySignRSA/rsa1024
=== RUN TestYubiKeySignRSA/rsa2048
--- PASS: TestYubiKeySignRSA (2.31s)
--- PASS: TestYubiKeySignRSA/rsa1024 (0.71s)
--- PASS: TestYubiKeySignRSA/rsa2048 (1.59s)
=== RUN TestYubiKeyDecryptRSA
=== RUN TestYubiKeyDecryptRSA/rsa1024
=== RUN TestYubiKeyDecryptRSA/rsa2048
--- PASS: TestYubiKeyDecryptRSA (7.79s)
--- PASS: TestYubiKeyDecryptRSA/rsa1024 (0.71s)
--- PASS: TestYubiKeyDecryptRSA/rsa2048 (7.08s)
=== RUN TestYubiKeyAttestation
--- PASS: TestYubiKeyAttestation (0.24s)
=== RUN TestYubiKeyStoreCertificate
--- PASS: TestYubiKeyStoreCertificate (0.18s)
=== RUN TestYubiKeyGenerateKey
=== RUN TestYubiKeyGenerateKey/ec_256
=== RUN TestYubiKeyGenerateKey/ec_384
=== RUN TestYubiKeyGenerateKey/rsa_1024
=== RUN TestYubiKeyGenerateKey/rsa_2048
--- PASS: TestYubiKeyGenerateKey (9.69s)
--- PASS: TestYubiKeyGenerateKey/ec_256 (0.10s)
--- PASS: TestYubiKeyGenerateKey/ec_384 (0.14s)
--- PASS: TestYubiKeyGenerateKey/rsa_1024 (0.65s)
--- PASS: TestYubiKeyGenerateKey/rsa_2048 (8.79s)
=== RUN TestYubiKeyPrivateKey
--- PASS: TestYubiKeyPrivateKey (0.31s)
=== RUN TestYubiKeyPrivateKeyPINError
--- PASS: TestYubiKeyPrivateKeyPINError (0.24s)
=== RUN TestRetiredKeyManagementSlot
=== RUN TestRetiredKeyManagementSlot/Non-existent_slot,_before_range
=== RUN TestRetiredKeyManagementSlot/Non-existent_slot,_after_range
=== RUN TestRetiredKeyManagementSlot/First_retired_slot_key
=== RUN TestRetiredKeyManagementSlot/Last_retired_slot_key
--- PASS: TestRetiredKeyManagementSlot (0.00s)
--- PASS: TestRetiredKeyManagementSlot/Non-existent_slot,_before_range (0.00s)
--- PASS: TestRetiredKeyManagementSlot/Non-existent_slot,_after_range (0.00s)
--- PASS: TestRetiredKeyManagementSlot/First_retired_slot_key (0.00s)
--- PASS: TestRetiredKeyManagementSlot/Last_retired_slot_key (0.00s)
=== RUN TestContextClose
--- PASS: TestContextClose (0.00s)
=== RUN TestContextListReaders
--- PASS: TestContextListReaders (0.00s)
=== RUN TestHandle
--- PASS: TestHandle (0.00s)
=== RUN TestTransaction
pcsc_test.go:72: disconnecting from handle: EOF
pcsc_test.go:30: closing context: write unix @->/run/pcscd/pcscd.comm: write: broken pipe
--- FAIL: TestTransaction (2.00s)
=== RUN TestErrors
--- PASS: TestErrors (0.00s)
=== RUN TestGetVersion
pcsc_test.go:72: disconnecting from handle: EOF
pcsc_test.go:30: closing context: write unix @->/run/pcscd/pcscd.comm: write: broken pipe
--- FAIL: TestGetVersion (2.00s)
=== RUN TestCards
--- PASS: TestCards (0.00s)
=== RUN TestNewYubiKey
--- PASS: TestNewYubiKey (0.00s)
=== RUN TestMultipleConnections
piv_test.go:136: expected scErr, got connecting to smart card: invalid return code: 8010000b (sharing violation)
--- FAIL: TestMultipleConnections (0.00s)
=== RUN TestYubiKeySerial
--- PASS: TestYubiKeySerial (0.00s)
=== RUN TestYubiKeyLoginNeeded
--- PASS: TestYubiKeyLoginNeeded (0.06s)
=== RUN TestYubiKeyPINRetries
piv_test.go:177: getting retries: expected error code from empty pin
--- FAIL: TestYubiKeyPINRetries (0.00s)
=== RUN TestYubiKeyReset
--- PASS: TestYubiKeyReset (0.97s)
=== RUN TestYubiKeyLogin
--- PASS: TestYubiKeyLogin (0.01s)
=== RUN TestYubiKeyAuthenticate
--- PASS: TestYubiKeyAuthenticate (0.00s)
=== RUN TestYubiKeySetManagementKey
--- PASS: TestYubiKeySetManagementKey (0.02s)
=== RUN TestYubiKeyUnblockPIN
--- PASS: TestYubiKeyUnblockPIN (0.04s)
=== RUN TestYubiKeyChangePIN
--- PASS: TestYubiKeyChangePIN (0.03s)
=== RUN TestYubiKeyChangePUK
--- PASS: TestYubiKeyChangePUK (0.03s)
=== RUN TestChangeManagementKey
--- PASS: TestChangeManagementKey (0.01s)
=== RUN TestMetadata
--- PASS: TestMetadata (0.92s)
=== RUN TestMetadataUnmarshal
--- PASS: TestMetadataUnmarshal (0.00s)
=== RUN TestMetadataMarshal
--- PASS: TestMetadataMarshal (0.00s)
=== RUN TestMetadataUpdate
--- PASS: TestMetadataUpdate (0.00s)
=== RUN TestMetadataAdditoinalFields
--- PASS: TestMetadataAdditoinalFields (0.00s)
FAIL
FAIL github.com/go-piv/piv-go/piv 35.396s
FAIL
This is really cool! Some thoughts:
- What's the OS level of support for re-implementing the pcscd communication? While this might work with PCSClite, the winscard APIs on macOS and Windows are provided by the OS. I know on macOS you're expected to use libraries to make syscalls, for example.
- Can this be implemented as an internal package for this library? I don't necessarily want to depend on getting fixes into an upstream.
- We'd probably want to make this opt-in if you provide a !cgo tag or something.
I would be very interested in this, since this is my only dependency in C (and thus cgo), complicating the build process. https://github.com/FiloSottile/yubikey-agent is also getting quite popular, and would also benefit from this. :)
Sorry for being so late. This library actually is stable; for some reason it works perfectly under Debian-based OSes. I tested it under Ubuntu 20.04 (amd64) and Debian 9 and 10 (arm), but unfortunately under CentOS it does not. I created a bug report but until now there is no response. I will clean my code and create a merge request with a warning, but I don't know if it is senseful to do so. I did not replace the original code of piv-go; it is possible to build it with the cgo library or with go-libpcsclite. I welcome any comments you might like to make.
Thanks for the reply ghaithsabba@ and no worries. We're all busy :)
As I stated above I don't want to take on a dependency with 2 stars and last activity over a year ago. I'd rather just implement this from scratch internally. I'm happy to take on that work.
Do you know what the pcsclite unix protocol looks like? (Please don't link to go-libpcsclite source) I can see some details here:
https://github.com/LudovicRousseau/PCSC/blob/0680e8366e710f9310d3f108309fdfd24d18741a/src/winscard.c
Unfortunately no, I don't. I am actually planning on making a fork branch from go-libpcsclite and trying to fix the bug and keep maintaining the library, so if you don't have enough time to develop it from scratch, I will try to speed up the development on the library.
Okay for my own purpose, the protocol is defined here:
- https://github.com/LudovicRousseau/PCSC/blob/master/src/winscard_msg.c
- https://github.com/LudovicRousseau/PCSC/blob/master/src/winscard_msg.h
I'll take a crack at trying to write some code to integrate when I get the chance.
I've started an implementation here that appears to work: https://github.com/go-piv/piv-go/pull/85
Will finish up when I get the chance. Likely won't be before this weekend.